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Information Commissioner's Office 


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 


email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
Capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 


stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 
x Yes 
No 
O Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Q3 


x] 


Does the draft guidance contain enough examples? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


There should be a few more sector specific examples, in particular relating to local 


government. See next section for some examples. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


You state that organisations should have adequate information management systems 
given that data protection legislation has been in place since the 1980s. However, you are 
not considering that faced with ever increasing budget cuts, delivery of front-line 
statutory services has for decades trumped the upgrade/replacement of systems and 
databases. Most local authorities have multiple functions (KCC has several hundred 
separate departments) that are using a multitude of stand-alone legacy systems that 
don't talk to each other. Imagine the headlines if a local authority said it was spending 
tens of millions to replace legacy systems to facilitate SARs at the expense of care homes 
and repairing potholes? KCC does not have a single central database/electronic document 
management system that can be easily be interrogated using a name or search term and 
it can often take days to ascertain who may hold a data subject’s information especially if 
the data subject refuses to clarify their request. In fact, if SARs fell under FOIA, we would 
be relying on section 12 FOIA (exceeds appropriate limit) 90% of the time and that is just 
to establish if we hold the information! 


You say that volume of records alone does not make a request complex. However, 
subject access requests, especially for social care records can be extremely problematic 
and labour intensive. Often there are decades of records, both paper and electronic, and 
information about family members is intrinsically linked making redaction not only difficult 


but time consuming. Prior to GDPR, one data subject’s records (she had been in care 
since she was a baby and was then in her 20’s), took over a year to copy and send out. 
There is no way that one month is sufficient to locate, collate and prepare records to 
satisfy most subject access requests involving social care without adversely impacting on 
front-line services. 


Many of the 500+ subject access requests we receive each year appear to just be another 
weapon in a complainant’s arsenal to progress a complaint or dispute that they have with 
another team or department. One frequent complainant has submitted a number of SARs 
over the years, not only for her own data, but also for her children’s data. The children 
are now submitting their SARs in their own right as well, but their parent is remaining 
involved in the children’s SARs as she is acting ‘on their behalf’. They expect a copy each, 
often of the same data. These SARs almost always follow a disagreement with one or 
more of the dozen service units that this family are involved with. Anything that KCC does 
is met with a complaint, which then is escalated to the ICO or any other regulatory body 
(ie LG&SCO). An outcome not in the data subject’s favour then results in a complaint 
about the regulatory body. Would this be classed as manifestly unfounded or excessive? 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all 2 - Slightly 3 - Moderately 4 - Very useful 5 - Extremely 
useful useful useful useful 
O O L 


Q6 Why have you given this score? 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Disagree Neither agree nor Agree Strongly agree 
disagree disagree 
O O O Xl 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


The guidance is comprehensive, in plain English and easy to understand. It has reassured 
us that we are, in the main, interpreting the legislation correctly as we already have in 
place all the steps you have listed in the “preparing for SARs” section. 


We also noticed that this guidance states that data subjects do have a right to “ask for 


everything you hold about me” but this contradicts your guidance to members of the 
public on what not to include when making a request | https ://ico.org.uk/your- data- 


access-request/. 


Q9 Are you answering as: 


O An individual acting in a private capacity (e.g. 
someone providing their views as a member of the 
public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Kent County Council 


What sector are you from: 


Local Government 


Q10 How did you find out about this survey? 


O ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 


oOouRx X O 


Personal/work Twitter account 


O Personal/work Facebook account 
O Personal/work LinkedIn account 
O Other 


Thank you for taking the time to complete the survey. 


